CRYPTOGRAPHIC PROPERTIES of ADDITION MODULO 2N

CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2n

S. M. DEHNAVI∗, A. MAHMOODI RISHAKANI, M. R. MIRZAEE SHAMSABAD, HAMIDREZA MAIMANI, EINOLLAH PASHA

Abstract. The operation of modular addition modulo a power of two is one of the most applied operations in symmetric cryptography. For example, modular addition is used in RC6, MARS and Twoﬁsh block ciphers and RC4, Bluetooth and Rabbit stream ciphers. In this paper, we study statistical and algebraic properties of modular addition modulo a power of two. We obtain the probability distribution of modular addition carry bits along with conditional probability distribution of these carry bits. Using these probability distributions and Markovity of modular addition carry bits, we compute the joint probability distribution of arbitrary number of modular addition carry bits. Then, we examine algebraic properties of modular addition with a constant and obtain the number of terms as well as the algebraic degrees of the component Boolean functions of the output of modular addition with a constant. Finally, we present another formula for the ANF of component Boolean functions of modular addition modulo a power of two. This formula contains more information than representations which are presented in cryptographic literature, up to now.

Keywords: Modular addition, Boolean function, Component Boolean function, Carry bit, Algebraic degree ∗ std−[email protected] 1 2 S. M. Dehnavi et al.

1. Introduction

The operation of modular addition modulo a power of two is one of the most applied operations in symmetric cryptography. For instance, modular addition is used in RC6[8], MARS[4] and Twoﬁsh[9] block ciphers and RC4[7], Bluetooth[1] and Rabbit[2] stream ciphers. In this paper, we investigate statistical and algebraic properties of modular addition modulo a power of two. Firstly, we obtain the probability distribution of modular addition carry bits and conditional probability distribution of these carry bits. Then, using these probability distributions and Markovity of modular addition carry bits, we compute the joint probability distribution of arbitrary number of modular addition carry bits. Algebraic properties of modular addition modulo a power of two is studied in [3]. We examine algebraic properties of modular addition with a constant and obtain the number of terms and algebraic degrees of the component Boolean functions of the output of modular addition with a constant. Finally, we present another formula for the ANF of component Boolean functions of modular addition modulo a power of two. This formula contains more information than previous representations which have been presented in cryptographic literature, up to now. Section 2 presents preliminary notations and deﬁnitions. In Section 3 we investigate the probability distribution of modular addition carry bits. Section 4 studies algebraic properties of modular addition with a constant and Section 5 is the conclusion.

2. Preliminaries

In this paper, the number of elements (cardinal) of a ﬁnite set A is denoted by |A|. Hamming weight of a natural number or a binary vector x is denoted by w(x). For two numbers or binary vectors x, y, d(x, y) denotes their Hamming distance. The i-th bit of a natural number or a binary vector x is denoted by xi. The notation ∧ is used for AND operation, ≫ is used for cyclic right shift or rotation operation and ⊕ is used for XOR operation. n Let Z2n be the ring of integers modulo 2 . For each a ∈ Z2n , the n unique integera ¯ ∈ Z2n witha ¯ + a = 2 − 1 is called the complement of a. Cryptographic Properties of Addition 3

Let F2 be the ﬁeld with two elements. There is a one-to-one correspon- Z n Fn dence between 2n , the ring of integers modulo 2 and 2 , Cartesian product of n copies of F2: Fn → Z φ : 2 2n ,

n∑−1 i x = (xn−1, ..., x0) 7→ φ(x) = xi2 . i=0 ≺ Fn Now let be the partial order on 2 deﬁned as

x ≺ a ⇔ xi ≤ ai, 0 ≤ i < n.

∈ Fn u un−1 u0 ≤ For x, u 2 , we deﬁne x = xn−1 ...x0 where xi and ui, 0 i < n, are the i-th components or bits of x and u, respectively. Fn → F Every function f : 2 2 is called a Boolean function. Any Boolean function has a unique algebraic representation called its Algebraic Nor- mal Form or ANF[5]. In fact, ⊕ u f(x) = hux , hu ∈ F2.

u∈Z2n where, ⊕ hu = f(x). x≺u Algebraic degree of a Boolean function f is denoted by d(f) and is equal to the number of variables in the longest term in the ANF of f, or equivalently, it is equal to the greatest value of w(u) among all terms with hu ≠ 0. The number of terms in the ANF of the Boolean function f is denoted by n(f). Fm → Fn Every function f : 2 2 with n > 1 is called a vectorial Boolean function or a Boolean map. Such a function can be represented as a vector of Boolean functions (fn−1, ..., f0), where each fi, 0 ≤ i < n, Fm → F is a Boolean function fi : 2 2 and is called the i-th component Boolean function. Moreover, similar to the case of Boolean functions, Fm → Fn any vectorial Boolean function f : 2 2 has a unique representation called its vectorial ANF. In fact, ⊕ u ∈ Fn f(x) = hux , hu 2 . u∈Z2m 4 S. M. Dehnavi et al.

∈ Fm Fm The inner product of two vectors a, b 2 in 2 is defined by m⊕−1 a.b = aibi, i=0 and the inner product of these vectors in the set of real numbers is defined by m∑−1 a ◦ b = aibi. i=0 For any nonzero element a ∈ Z2n , the greatest power of 2 that divides Fm → a is denoted by p(a). We define p(0) := n. For two functions f, g : 2 Fn 2 , we define Pf,g as, |{x ∈ Fm|f(x) = g(x)}| P = 2 . f,g 2m and Ef,g as, ∑ ∑ n−1 m x∈Fm d(f(x), g(x)) |{x ∈ F |f (x) = g (x)}| E = n − 2 = i=0 2 i i . f,g 2m 2m where fi’s and gi’s, 0 ≤ i < n, are the i-th component Boolean functions of f and g.

3. Probability Distribution of Carry Bits

There is a well-known recursive formula for the carry bits of modular addition modulo a power of two: Deﬁne F2n → Fn f : 2 2 , z = f(x, y) = x + y (mod 2n). Then we have,

zi = xi ⊕ yi ⊕ ci, 0 ≤ i < n, (3.1) c0 = 0, ci = xi−1yi−1 ⊕ ci−1(xi−1 ⊕ yi−1), 1 ≤ i < n. We use this formula in the proof of the following theorems.

Theorem 3.1. Let x, y ∈ Z2n . We have x + y = (x ⊕ y) + 2(x ∧ y) (mod 2n). Cryptographic Properties of Addition 5

Proof. Suppose that z = x + y (mod 2n), a = x ⊕ y, b = 2(x ∧ y) and c = a + b (mod 2n). From (3.1), we have

zi = xi ⊕ yi ⊕ di, 0 ≤ i < n, d0 = 0, di = xi−1yi−1 ⊕ di−1(xi−1 ⊕ yi−1), 1 ≤ i < n. Also, b0 = 0,

bi = xi−1yi−1, 1 ≤ i < n,

ai = xi ⊕ yi, 0 ≤ i < n; and, ci = ai ⊕ bi ⊕ ei, 0 ≤ i < n, e0 = 0, ei = ai−1bi−1 ⊕ ei−1(ai−1 ⊕ bi−1), 1 ≤ i < n. At ﬁrst we prove:

(3.2) ei = di ⊕ xi−1yi−1, 1 ≤ i < n. We use induction on i. For i = 1, we have

d1 = x0y0 ⊕ d0(x0 ⊕ y0) = x0y0,

e1 = a0b0 ⊕ e0(a0 ⊕ b0) = a0b0 = 0. So, e1 = d1 ⊕ x0y0. Now assume that (3.2) is valid for i − 1. Then, ei ⊕ xi−1yi−1 = ai−1bi−1 ⊕ ei−1(ai−1 ⊕ bi−1) ⊕ xi−1yi−1 = (xi−1 ⊕ yi−1)xi−2yi−2 ⊕ (di−1 ⊕ xi−2yi−2)(xi−1 ⊕ yi−1 ⊕ xi−2yi−2) ⊕ xi−1yi−1 = (xi−1⊕yi−1)xi−2yi−2⊕di−1(xi−1⊕yi−1)⊕di−1xi−2yi−2⊕xi−2yi−2(xi−1⊕ yi−1) ⊕ xi−2yi−2 ⊕ xi−1yi−1 = (xi−1yi−1 ⊕ di−1(xi−1 ⊕ yi−1)) ⊕ di−1xi−2yi−2 ⊕ xi−2yi−2 = di ⊕ di−1xi−2yi−2 ⊕ xi−2yi−2 = di.

The last equation is obtained by multiplying two sides of the equation

di−1 = xi−2yi−2 ⊕ di−2(xi−2 ⊕ yi−2) by xi−2yi−2. In fact, we have

di−1xi−2yi−2 = xi−2yi−2 ⊕ di−2xi−2yi−2 ⊕ di−2xi−2yi−2 = xi−2yi−2. This proves validity of (3.2). Now we are ready to prove c = z:

c0 = a0 ⊕ b0 ⊕ e0 = a0 ⊕ b0 = x0 ⊕ y0 = x0 ⊕ y0 ⊕ d0 = z0, 6 S. M. Dehnavi et al. and for i > 0, ci = ai ⊕ bi ⊕ ei = (xi ⊕ yi) ⊕ xi−1yi−1 ⊕ di ⊕ xi−1yi−1 = xi ⊕ yi ⊕ di = zi. □

As a result of Theorem 3.1, we can ﬁnd Pf,g, where f is the map of modular addition modulo 2n and g is the bitwise XOR map: for f and g to be equal, it suﬃces to have 2(x ∧ y) = 0. By a simple combinatorial enumeration, we get ( ) − 3 n 1 (3.3) P = . f,g 4 In other words, (3.3) gives an approximation of modular addition with bitwise XOR. There is a well-known fact about the distribution of carry bits of modular addition:

n Theorem 3.2. If x, y ∈ Z2n and z = x + y (mod 2 ), then, 1 1 P (c = 0) = + , 0 ≤ i < n. i 2 2i+1

Here, according to (3.1), ci, 0 ≤ i < n, is the i-th carry bit of modular addition. Regarding the maps f and g in (3.3) and using Theorem 3.2, we have − ( ) n∑1 1 1 n 2n − 1 E = + = + . f,g 2 2i+1 2 2n i=0

Theorem 3.3. Regarding the notations of Theorem 3.2, if (an−1, ..., a0) ∈ Fn 2 is given, then, {( ) 3 n−1 −w(b) 4 3 a0 = 0, P (cn−1 = an−1, ..., c0 = a0) = 0 a0 ≠ 0.

Here, ci’s, 0 ≤ i < n, are modular addition carry bits and the vector b is b = (bn−1, ..., b0) = (an−1 ⊕ an−2, ..., a1 ⊕ a0, 0).

Proof. In the case a0 = 1, there is nothing to prove, because c0 = 0. If a0 ≠ 1, it is not hard to see that 3 P (c = 0|c − = 0) = P (c = 1|c − = 1) = , i i 1 i i 1 4 Cryptographic Properties of Addition 7 and, 1 P (c = 0|c − = 1) = P (c = 1|c − = 0) = . i i 1 i i 1 4 Relation (3.1) and a simple calculation show that the sequence or sto- chastic process {ci}i≥0 is a Markov chain. More precisely, we have

P (ci = ai|ci−1 = ai−1, ..., c0 = a0) = P (ci = ai|ci−1 = ai−1). Therefore, | ··· P (cn−1 = an−1, ..., c0( =) 0)=( )P (c0 = 0)P (c1 = a1 c0 = 0) P (cn−1 = 3 d1 1 d2 3d1 a − |c − = a − )= = , n 1 n 2 n 2 4 4 4d1+d2 where, d1 = |{j|0 ≤ j < n − 1, aj = aj+1}|, d2 = |{j|0 ≤ j < n − 1, aj ≠ aj+1}|. It is clear that d1 = n − w(b) − 1 and d1 + d2 = n − 1. This ends the proof. □ We note that (3.3) can also be derived from Theorem 3.3. Theorem 3.4. According to the notations of Theorem 3.3, for every i ≥ 2 and 1 ≤ j < i, and any two bits a, b, we have 1 (−1)a+b (3.4) P (c = a|c − = b) = + . i i j 2 2j+1 Proof. The case i = 2 for every 1 ≤ j < i or j = 1 has been proved in Theorem 3.3. By induction, suppose that (3.4) is valid for i and every 1 ≤ j < i. We will prove the validity of (3.4) for i + 1 and every 1 ≤ j < i + 1:

P (ci+1=a,ci+1−j =b) P (ci+1 = a|ci+1−j = b) = P (ci+1−j =b) = P (ci+1=a,ci=0,ci+1−j =b) + P (ci+1=a,ci=1,ci+1−j =b) P (ci+1−j =b) P (ci+1−j =b) | | = P (ci+1−j =b)P (ci=0 ci+1−j =b)P (ci+1=a ci=0,ci+1−j =b) P (ci+1−j =b) | | + P (ci+1−j =b)P (ci=1 ci+1−j =b)P (ci+1=a ci=1,ci+1−j =b) P (ci+1−j =b)

= P (ci = 0|ci+1−j = b)P (ci+1 = a|ci = 0) + P (ci = 1|ci+1−j = b)P (ci+1 = a|ci = 1) ( )( ) ( )( ) 1 (−1)b 1 (−1)a 1 (−1)b+1 1 (−1)a+1 1 (−1)a+b = 2 + 2j 2 + 22 + 2 + 2j 2 + 22 = 2 + 2j+1 . □ 8 S. M. Dehnavi et al.

≤ ≤ ∈ Fr Theorem 3.5. For every 2 r n and a 2 with a = (ar−1, ..., a0), and every (jr−1, ..., j0) satisfying 0 < j0 < ... < jr−1 < n, we have ( ) r∏−1 ( ) 1 (−1)ak+ak−1 P cjr−1 = ar−1, ..., cj0 = a0 = + − . 2 2jk jk−1+1 k=0

Here a−1 = j−1 := 0. Proof. The proof is the same as Theorem 3.4. Using equations (3.1) directly or equivalently using Markovity of {ci}i≥0, we have ( )

P cjr−1 = ar−1, ..., cj0 = a0 r∏−1 ( ) | = P (cj0 = a0) P cjk = ak cjk−1 = ak−1, ..., cj0 = a0 k=1 r−1 r−1 ( ) ∏ ( ) ∏ − ak+ak−1 | 1 ( 1) = P (cj0 = a0) P cj = ak cj − = ak−1 = + − . k k 1 2 2jk jk−1+1 k=1 k=0 □

4. Algebraic Properties of Modular Addition with a Constant

In this section, we study algebraic properties of modular addition with a constant. We obtain the algebraic degree and the number of terms in the ANF of the component Boolean functions of modular addition with a constant. The proof of the following theorem can be found in [3]. Theorem 4.1. Let F2n → Fn f : 2 2 , f(x, y) = x + y (mod 2n). Then for each i, 0 ≤ i < n, we have

d(fi) = i + 1, i n(fi) = 2 + 1.

Theorem 4.2. Let a ∈ Z2n be given and, Fn → Fn f : 2 2 , z = f(x) = x + a (mod 2n). Cryptographic Properties of Addition 9

Then for each i, 0 ≤ i < n,  1 i < p(a), n(fi) = 2 i = p(a),  w(a,i) 2 + ai i > p(a).

Here, we deﬁne w(a, i) := w(0, ..., 0, ai−1, ..., a0). Proof. Suppose that p(a) = k. If i < k, then according to (3.1), we have ai = ci = 0. So zi = xi and n(fi) = 1. If i = k, then by (3.1), we have ai = 1 and ci = 0; so zi = xi ⊕ 1 and n(fi) = 2. Now if i > k, then according to (3.1), we have zi = xi ⊕ ai ⊕ ci and n(fi) = 1 + ai + n(ci). By induction on i, we prove that for any i > k, w(a,i) n(ci) = 2 − 1: for i = k + 1 we have

ck+1 = xk, w(a, k + 1) = w(0, ..., 0, 1, 0, ..., 0) = 1. w(a,k+1) So, n(ck+1) = 1 = 2 − 1. Suppose that for i > k + 1, n(ci) = 2w(a,i) − 1. According to (3.1), for i + 1 we have

ci+1 = xiai ⊕ ci(xi ⊕ ai).

Now if ai = 0, then w(a, i + 1) = w(a, i) and n(ci+1) = n(ci). So, w(a,i+1) n(ci+1) = 2 − 1, and if ai = 1, then w(a, i + 1) = w(a, i) + 1 and n(ci+1) = 2n(ci) + 1. Thus, ( ) w(a,i) w(a,i+1) n(ci+1) = 2 2 − 1 + 1 = 2 − 1. w(a,i) w(a,i) Threfore, for all i > k, n(ci) = 2 − 1 and n(fi) = 2 + ai. □ Theorem 4.2 shows that, if a constant a has more ones in its binary representation, then zn−1 would have more terms in its ANF. Theorem 4.3. With the notations of Theorem 4.2 we have { 1 i ≤ p(a) + 1, d(fi) = i − p(a) i > p(a) + 1. Proof. Using equation (3.1), we have { 1 d(ci) ≤ 1, d(fi) = d(ci) d(ci) > 1. Now, suppose that p(a) = k. Then,

a0 = ... = ak−1 = 0, ak = 1, 10 S. M. Dehnavi et al. and, if we replace the above values in equation (3.1), then we have

c0 = ... = ck = 0, ck+1 = xk.

So we have d(ci) ≤ 1 and d(fi) = 1, for any i ≤ k + 1 = p(a) + 1. Now we prove by induction that for any i > p(a) + 1, d(zi) = i − p(a): according to (3.1), for i = p(a) + 2 = k + 2, we have

ci = ck+2 = xk+1ak+1 ⊕ ck+1(xk+1 ⊕ ak+1), and,

d(ck+2) = 2.

Thus d(fk+2) = 2 = i−p(a). Suppose that for i > k+2, d(zi) = i−p(a). Then, for i + 1 we have

d(ci+1) = d(ci) + 1 = i − k + 1 > 2.

Therefore, d(fi+1) = i + 1 − p(a) and this ends the proof. □ Example. Suppose that z = x + 13 (mod 28). We have p(13) = 0. So by Theorems 4.2 and 4.3, we have

n(z0) = 2,

n(z1) = n(z2) = 3,

n(z3) = 5,

n(z4) = n(5) = n(z6) = n(z7) = 7. and,

d(z0) = 1,

d(zi) = i, 1 ≤ i ≤ 7. In the following theorems, we shall study other forms of the ANF of modular addition. The proof of following theorem can be found in [3]. Theorem 4.4. Let F2n → Fn f : 2 2 , z = f(x, y) = x + y (mod 2n). For any i, 0 ≤ i ≤ n − 1, we have ⊕2i t 2i−t zi = x y . t=0 Cryptographic Properties of Addition 11

Theorem 4.5. Let F2n → Fn f : 2 2 , f(x, y) = x + y (mod 2n). Then any monomial appears exactly once in vectorial ANF of f. Proof. According to Theorem 4.4, for all 0 ≤ i < n, we have ⊕2i t 2i−t zi = x y . t=0 For all 0 ≤ i < j ≤ n−1, the monomial xuy2i−u with 0 ≤ u ≤ 2i and the monomial xvy2j −v with 0 ≤ v ≤ 2j can not be equal, because for u ≠ v, they are diﬀerent, obviously, and for u = v we have 2i − u ≠ 2j − v. □ The following results are derived from Theorem 4.5. Corollary 4.6. Suppose that F2n → Fn f : 2 2 , f(x, y) = x + y (mod 2n). Then the number of all terms in vectorial ANF of f equals to n∑−1 ( ) 2i + 1 = 2n + n − 1. i=0 n Corollary 4.7. Suppose that z = x + y (mod 2 ) and a ∈ Z2n . Then the number of terms in Boolean function a.z equals to ( ) a ◦ 2n−1 + 1, ..., 3, 2 . Corollary 4.7. shows that, if we have a linear combination of the output of modular addition, how we can obtain the number of terms in the component Boolean functions of this linear combination. Corollary 4.8. Suppose that F2n → Fn f : 2 2 , f(x, y) = x + y (mod 2n). Then this function is sparse in relation to a random vectorial Boolean F2n → Fn function g : 2 2 , i.e. 2n + n − 1 lim = 0. n→∞ n22n−1 12 S. M. Dehnavi et al.

Here, n22n−1 is the expected number of monomials in the ANF of a F2n Boolean function with domain 2 . 8 Example. Suppose that x, y ∈ Z28 and w = x + y (mod 2 ). If z = w ⊕ (w ≫ 3) ⊕ (w ≫ 5), then we have 0 3 5 n(z0) = (2 + 1) + (2 + 1) + (2 + 1) = 44, 7 4 2 n(z7) = (2 + 1) + (2 + 1) + (2 + 1) = 151. Theorem 4.9. Suppose that F2n → Fn f : 2 2 , z = f(x, y) = x + y (mod 2n). Then for all i, 0 ≤ i < n, we have ( ) ⊕2i ∏i−1 ∏ ¯ ⊕ k−1 ¯ t tk r=0 tr zi = x yk . t=0 k=0 ∏ (0,...,0) −1 ¯ Here, we deﬁne (0, ..., 0) := 1 and r=0 tr := 1. Proof. According to Theorem 4.4, for all i, 0 ≤ i < n, we have ⊕2i ⊕2i t 2i−t t t¯+1 zi = x y = x y . t=0 t=0

Now, if we denote the j-th bit of t¯+ 1 by [t¯+ 1]j, then we have ∏−1 [t¯+ 1]0 = t¯0 ⊕ 1 = t¯0 ⊕ t¯r, r=0 and according to (3.1), for all j, 1 ≤ j ≤ i − 1, we get

[t¯+ 1]j = t¯j ⊕ cj, cj = t¯j−11j−1 ⊕ cj−1 (t¯j−1 ⊕ 1j−1) . Thus, ∏i−1 c1 = t¯0, cj = cj−1t¯j−1 = t¯r, 3 ≤ j ≤ i − 1. r=0 So for all j, 0 ≤ j ≤ i − 1, we have j∏−1 [t¯+ 1]j = t¯j ⊕ t¯r. r=0 Cryptographic Properties of Addition 13

Therefore, ∏i−1 ∏ ¯ ⊕ k−1 ¯ t¯+1 tk r=0 tr y = yk . k=0 □

In the proof of the following theorem, we present a formula for the ANF of component Boolean functions of modular addition. This formula is somehow presented in [6], but we use another method to prove this formula. Theorem 4.10. Suppose that n > 3 and, F2n → Fn f : 2 2 , z = f(x, y) = x + y (mod 2n). Then we have    ⊕    zn−1 = xn−1 ⊕ yn−1 ⊕  (Tixiyi) , 0≤i≤n−2 Ti∈Ai where Ai = {tn−2...ti+1|tj ∈ {xj, yj}, i + 1 ≤ j ≤ n − 2}. Proof. According to Theorem 4.9, we have 2⊕n−1 2n⊕−1−1 t t¯+1 t t¯+1 zn−1 = x y = xn−1 ⊕ yn−1 ⊕ x y . t=0 t=1 We notice that for 1 ≤ t ≤ 2n−1 − 1, we have 0 ≤ p(t) ≤ n − 2. So, ⊕ t t¯+1 zn−1 = xn−1 ⊕ yn−1 ⊕ x y . 1≤p(t)≤n−2 By Theorem 4.9, if p(t) = k, then,

t = (tn−2, ..., tk+1, 1, 0, ..., 0),

t¯+ 1 = (t¯n−2, ..., t¯k+1, 1, 0, ..., 0). This shows that p(t) = p(t¯ + 1) and their remaining bits in binary representation are complement of each other. This ends the proof. □ As a result of the Theorem 4.10, we have: 14 S. M. Dehnavi et al.

Corollary 4.11. Suppose that z = x + y (mod 2n). Then the number d−2 of terms of degree d, 1 < d ≤ n in the ANF of zn−1 equals to 2 and there are two monomials of degree one. Theorem 4.10 presents the ANF of the output of the component Boolean functions of modular addition modulo a power of two. This relation contains more information than the representation which was presented in [3].

5. Conclusion

The operation of modular addition modulo a power of two is one of the most applied operations in symmetric cryptography. For example, modular addition is used in RC6, MARS and Twoﬁsh block ciphers and RC4, Bluetooth and Rabbit stream ciphers. In this paper, we examined statistical and algebraic properties of modular addition modulo a power of two. At ﬁrst, we obtained the probability distribution of modular addition carry bits and conditional probability distribution of these carry bits. Then, using these probability distributions and Markovity of modular addition carry bits, we computed the joint probability distribution of arbitrary number of modular addition carry bits. We investigated algebraic properties of modular addition with a constant and we obtained the number of terms along with the algebraic degrees of the component Boolean functions of the output of modular addition with a constant. Lastly, we presented another formula for the ANF of component Boolean functions of modular addition modulo a power of two. This new formula contains more information than representations which have been presented in cryptographic literature, up to now.

References

[1] Bluetooth SIG, Speciﬁcation of the Bluetooth System, Version 1.1, 1 Febraury 22, 2001, available at http://www.bluetooth.com. [2] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen and O. Scavenius: Rabbit: A New High- Performance Stream Cipher, Proceedings of Fast Software Encryption 2003, Springer, Berlin, (2003). [3] A. Braeken, I. Semaef, The ANF of Composition of Addition and Multiplication mod with a Boolean function , FSE’05, LNCS 2887, pp. 290-306, Springer Verlage, 2005. [4] C. Burwick, D. Coppersmith, E. DAvingnon, R. Gennaro, Sh. Halevi, Ch. Julta, S. M. Matyas. Jr, L. OConnor, M. Peyravian, D. Saﬀord, N. Zunnic, MARS Cryptographic Properties of Addition 15

a Candidate Cipher for AES, Proceeding of 1st Advanced Encryption Standard Candidate Conference, Venture, California, Aug. 20-22 1998. [5] Carlet, C., ”Vectorial Boolean Functions for Cryptography”, in Boolean Mod- els and Methods in Mathematics, Computer Science, and Engineering.: Cam- bridge University Press, 2010, pp. 398-469, available at http://www.math.univ- paris13.fr/ carlet/chap-vectorial-fcts-corr.pdf [6] Xu, K., Dai, Z., and Dai, Z., ”The formulas of coefficients of sum and product of p-adic integers with applications to Witt vectors”, available via http://arxiv.org/pdf/1007.0878v1.pdf [7] R. L. Rivest, The RC4 encryption algorithm, RSA Data Security, Inc., Mar., 1992. Proceeding of 1st Advanced Encryption Standard Candidate Conference, Venture, California, Aug. 20-22 1998. [8] R. L. Rivest, M. J. B. Robshaw, R. Sidney, Y. L. Yin, The RC6 Block Cipher, Proceeding of 1st Advanced Encryption Standard Candidate Conference, Venture, California, Aug. 20-22 1998. [9] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C.Hall, N. Fer- guson, Twofish: A 128-Bit Block cipher, 1998, Available via http://www.counterpane.com/twofish.html.